Linking Acorn Apps with Azure Database for PostgreSQL

by | Jan 6, 2023

Spread the word

This tutorial continues the series on running Acorn apps in Azure AKS. In the last part, we explored how to secure Gitea through a TLS-enabled endpoint. In this part, I will extend the scenario to connect the stateless Gitea frontend with Azure Database for PostgreSQL.

Before going ahead, make sure you finish the steps explained in the previous tutorial. It’s a prerequisite for this part. 

Step 2 – Deploying Azure Database for PostgreSQL

Before we can link the Acorn app to an external database, we will need to provision an instance of Azure Database for PostgreSQL, which is a managed database from Microsoft.

Since we are running the Acorn app in an AKS cluster, it makes sense to have the database in Azure and, specifically, the same region where our Gitea application is running. 

Run the below commands to initialize the parameters:

resourceGroup="acorndemo"
server="gitea-acorn"
login="postgres"
password="[email protected]"
database="gitea"

Notice that the resource group is the same as the AKS cluster. The below command provisions the PostgreSQL database:

az postgres flexible-server create \
	--name $server \
	--resource-group $resourceGroup \
	--admin-user $login \
	--admin-password $password \
	--database-name $database \
	--high-availability disabled \
	--public-access 20.219.112.182-20.219.112.182 \

The switch --public-access 20.219.112.182-20.219.112.182 ensures that only the Gitea application exposed through the ingress/load balancer combination with the IP address can access the database. This reduces the blast radius by explicitly enabling access to the web application. 

We also need to disable TLS access to the PostgreSQL database for simplicity. But, if you running in the production environment, it’s highly recommended to keep this enabled. 

az postgres flexible-server parameter set \
	--name require_secure_transport \
	--resource-group $resourceGroup \
	--server $server \
	--value OFF

By the end of this step, you should have a PostgreSQL database provisioned with the secure transport option disabled.

Notice that the PostgreSQL database is available at gitea-acorn.postgres.database.azure.com endpoint. 

In the next step, we will create the required resources and link the Gitea Acorn app with this database.

Step 3 – Creating Kubernetes Resources for Linking the External Database

Just to recap, our Acornfile looks like the following:

containers: {
	db :{
		image: "postgres:alpine"
		env: [
				"POSTGRES_USER=secret://db-user/username",
				"POSTGRES_PASSWORD=secret://db-user/password",
				"POSTGRES_DB=gitea"
			 ]
		dirs: "/var/lib/postgresql/data":"volume://db?subpath=data"
		ports: {
			expose: "5432/tcp"
		}
	}
	gitea: {
		image: "gitea/gitea:latest"
		env: [
				"DB_TYPE=postgres",
			 	"DB_HOST=db:5432",
			 	"DB_NAME=gitea",
			 	"DB_USER=secret://db-user/username",
			 	"DB_PASSWD=secret://db-user/password"
			 ]
		dirs: "/data": "git"
		ports: {
			publish: "3000/http"
		}
		dependsOn: ["db"]
	}

}

secrets: {
	"db-user": {
		type: "basic"
		data:{
		    username: ""
		    password: ""
		}
	}
}

volumes: {
   db: {}
   git: {}
}

From the definition, it’s clear that the Gitea app depends on the container based on the postgres:alpine image. We aim to keep the Acornfile as is but link the Gitea app with the Azure Database for PostgreSQL provisioned in the previous step. 

The first step is to create a service that acts as a pointer to the external database. We will create a service of type ExternalName, adding the FQDN of the database endpoint. 

Create the below file and apply it to the Kubernetes cluster: 

apiVersion: v1
kind: Service
metadata:
  name: az-pgsql-db
  namespace: acorn
spec:
  type: ExternalName
  externalName: gitea-acorn.postgres.database.azure.com

The second step is to create a secret that has the username and password to access the database. In the previous step, we initialized the environment variables for the database credentials. Let’s encode them in base64 and create a secret from the values. 

login="postgres"
password="[email protected]"

Create a secret with the base64 values:

apiVersion: v1
kind: Secret
metadata:
  name:  az-pgsql-sec
  namespace: acorn
type: Opaque
data:
  password: R2l0ZWFEQkAxMjM=
  username: cG9zdGdyZXM=

The keys under the data section must match the keys defined under the secrets in the Acornfile. 

Note that the service and the secret are created in the acorn namespace.

Step 4 – Linking Gitea Acorn App with Azure Database for PostgreSQL

With everything in place, we are all set to launch the linked application. Run the below command to link the database service and the secret created in the previous step. 

acorn run  \
--name scm \
--publish git.cloudnativelabs.in:gitea \
--link az-pgsql-db:db \
--secret az-pgsql-sec:db-user \
--file ./Acornfile 

Wait for the application become available at https://git.cloudnativelabs.in

You can access the Gitea initialization screen by accessing the URL.

Since we have successfully decoupled the stateless app (Gitea) from the stateful service (PostgreSQL DB), we can now easily scale the application for high availability and performance. 

This concludes the tutorial on linking Acorn applications with external resources.  To learn more about using Acorn, visit our getting started guide, or join us for an upcoming meetup or training.

Janakiram is a practicing architect, analyst, and advisor focusing on emerging infrastructure technologies. He provides strategic advisory to hyperscalers, technology platform companies, startups, ISVs, and enterprises. As a practitioner working with a diverse Enterprise customer base across cloud native, machine learning, IoT, and edge domains, Janakiram gains insight into the enterprise challenges, pitfalls, and opportunities involved in emerging technology adoption. Janakiram is an Amazon, Microsoft, and Google certified cloud architect, as well as a CNCF Ambassador and Microsoft Regional Director. He is an active contributor at Gigaom Research, Forbes, The New Stack, and InfoWorld.


Spread the word